RECEIVED
CENTRAL FAX CENTER

NOV 03 2006

Remarks 

Status of application 

Claims 1-78 were examined and stand rejected in view of prior art. The claims
have been amended to further clarify Applicant's invention. Reexamination and
reconsideration are respectfully requested.

The invention 

The present invention provides a system including methodologies for
automatically detecting when a computer or device is plugged into a new network (or
subnet). The system enables the user of the computer or device to decide whether or not
he or she wants to permit the new network to be included as part of a trusted zone (i.e., a
group of computers and devices amongst which information is exchanged relatively
freely). Alternatively, the decision to include or exclude a newly identified network can
be made by a previously established policy adopted by the user or an administrator. The
system also automatically reconfigures a firewall to include or exclude the new network
from the trusted zone.

The system first detects a connection to a new network by receiving notice of
changes to an existing network configuration and evaluating these changes. Next, the
new network is profiled and an identity is generated for the new network. The process of
profiling a network involves collecting a number of items of information about the
network in order to uniquely identify that specific network. This profiling process
enables the system to generate a unique identifier for the network. Once a network has
been identified, a user may elect whether or not that network is to be included as part of
his or her trusted zone. Alternatively, the decision about whether or not to include a
network as part of a trusted zone may be determined by a policy established by a system
administrator or user. The new trusted zone definition, which either includes or excludes
the new network, is automatically sent to the firewall for enforcement. The profile of
each network is stored so that the next time the device is connected to the same network
it will remember the network and apply the same security settings previously adopted for
that network. The stored profile also facilitates the detection of changes to the network
configuration or the connection of the device to a new network.
The system also includes configuration options that permit a system administrator
or user to pre-configure the security settings of each system to identify networks that are
part of the trusted zone. The system administrator or user may also pre-configure the
system so that all unknown networks will be automatically excluded from the trusted
zone.

Applicant's Information Disclosure Statement

Applicant electronically filed an Information Disclosure Statement (IDS) on
November 21, 2003, a copy of which is attached herewith (as downloaded from the
Office's PAIR system). As a signed copy of Applicant's IDS was not returned with the
present Office Action, it is respectfully requested that the Examiner consider the art listed
in the IDS, and return a signed copy of the IDS acknowledging that the listed art was
considered.

Prior art rejections 

A. Section 102 rejection: Bonn 

Claims 1-19, 21-23, 25, 27-60, 62, and 64-78 stand rejected under 35 U.S.C.
102(e) as being clearly anticipated by Bonn et al., U.S. Pat. No. 6,738,908, hereinafter
"Bonn". The Examiner's rejection of these claims is as follows:

As per claims 1-19, 21-23, 25, 27-60, 62, and 64-78 Bonn '908 teaches a
generalized network security policy templates for implementing similar
network security policies across multiple networks comprising: a client
device/network element or Network security device "NSD" to regulate
access to different networks, obtaining information to identify a particular
client device, adapter/Ethernet cards, networks, generate a network
profile, a current network profile, comparing profiles to determine if said
device previously connected to current network, and if so applying
security settings, determining and applying security settings to be applied
(if new), storing and automatically applying when clients connect,
applying established security policy/profiles, trusted and un-trusted
networks/trusted/optional-trusted to an extent external-un-trusted,
obtaining user input for security profiles, a default security setting
template/minimal template, setting for firewalls, identifying initial
connections/new networks, a particular device configurations, a client, all
network adapters, operating kernel/OS and memory a connection method
/network IP, connection name/alias, gateway, private or public address,
assigning a unique identifier to a profile/template or policy (abstract, figs.
1-S, 15-18, background, and summary et seq., col. 2, lines 4-4S et seq.,
col. 3, lines 53-63, col. 4, lines 6-15 et seq., col. 4, lines 23-27 et seq., col.
4, lines 64-67 et seq., fig. 2, figs. 1A and 1B, col. 4, lines 38 et seq., col.
3, lines 60 et seq., fig. 15, col. 8, lines 1-10 et seq., col. 8, lines 5-15 et
seq., col. 1, lines 50 et seq., col. 6, lines 44 et seq., fig. 17, col. 8, lines 55
et seq., claims 1-8, fig. 4).

As discussed below, Applicant's claimed invention may be distinguished on a variety of 
grounds. 

Bonn's teaching is directed to a template-based approach for expediting the
deployment of security policies. There, the basic notion is to use policy "templates" that
comprise network security rules specified with respect to one or more aliases. In other
words, Bonn's basic approach is to allow the generic elements of a network (e.g., mail
host, printer, etc.) to be described in terms of alias descriptors or roles, instead of specific
IP addresses, so that fairly generic templates having preconfigured rules may be used (in
a manner that is more expedient than configuring similar networks over and over again
from scratch). The rules themselves are specified in terms of specific network elements,
such as user workstations, servers, routers, and printers, which perform certain functions,
or "roles." For example, a rule in a network security policy for a particular network may
specify that all email traffic must flow through a network element having a particular
network address that is specifically configured as a mail host (i.e., "MailHost" alias). By
using a template that contains rules expressed in terms of aliases or roles, rather than in
terms of specific network elements, Bonn's template-based approach provides a more
efficient solution for configuring similar networks, rather than simply creating individual
policies that are similar entirely from scratch.

To generate a policy for a particular network from a template, Bonn's facility uses
a profile of the network that maps the aliases occurring in the template to specific
network elements within the network. For example, the network profile for a particular
network maps the "MailHost" alias to a particular network element of the network having
a particular network address (i.e., IP address). The facility uses the profile for the
network to replace occurrences of aliases in the template with the addresses of the
corresponding specific network elements.
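The alias-to-address substitution described in the two preceding paragraphs, written out as an added illustration; this is not code from the Bonn patent or from Applicant's application, and the rule syntax, the alias names and the addresses are assumed for the illustration:

```python
"""Alias-based template expansion in the style the remarks attribute to Bonn.
Added illustration only: not code from the Bonn patent or from Applicant's
application. The rule syntax, alias names and addresses are assumed."""
import ipaddress
import re
from typing import Dict, List, Set

# Hypothetical template: rules reference roles, never concrete IP addresses.
TEMPLATE: List[str] = [
    "allow tcp any -> MailHost 25",
    "allow tcp any -> InternalWebServer 80",
    "deny any any -> InternalWebServer any",
]

# An alias is a CapWords token; keywords (allow, deny, tcp, any) are lowercase.
ALIAS = re.compile(r"\b[A-Z][A-Za-z]*\b")


def template_aliases(template: List[str]) -> Set[str]:
    """Every alias the profile has to map before expansion can run."""
    return {a for rule in template for a in ALIAS.findall(rule)}


def missing_aliases(template: List[str], profile: Dict[str, str]) -> Set[str]:
    """Aliases the (hand-built) profile leaves unmapped."""
    return template_aliases(template) - set(profile)


def expand_template(template: List[str], profile: Dict[str, str]) -> List[str]:
    """Substitute each alias with the address the profile maps it to.
    The profile is the only per-network input, and in this scheme it is
    typed in by the user, alias by alias; nothing here observes which
    network the host is actually attached to."""
    missing = missing_aliases(template, profile)
    if missing:
        raise ValueError(f"profile leaves aliases unmapped: {sorted(missing)}")
    for addr in profile.values():
        ipaddress.ip_address(addr)  # ValueError on a malformed address
    return [ALIAS.sub(lambda m: profile[m.group(0)], rule) for rule in template]
```

The property the remarks rely on is visible in expand_template: the expansion is a pure function of the template and a manually supplied alias-to-address map, so two networks whose profiles list the same addresses produce identical rule sets, and the expansion step itself has no way to tell them apart.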

Although Bonn's template-based approach undoubtedly is more efficient than
configuring the same or similar networks over and over again from scratch, Bonn's
approach does not include automatic detection of disparate networks (which may in fact
be very dissimilar), and automatic firewall reconfiguration thereof, as a given device
(e.g., laptop computer or other mobile device) is physically moved from one network
(e.g., corporate network) to another (e.g., home network, or hotel wireless network).
Instead, at this point (i.e., at the point of generating a profile for a network), Bonn's
facility simply provides a user interface where the user himself or herself must specify
that a particular network is a "new" network and that it should have a particular profile
(e.g., that the computer at IP address of so-and-so should be assigned the role of
"MailHost"). Importantly, Bonn's facility has no means for the automatic detection or
discovery of new networks as a given machine (especially, a mobile computing device) is
moved from one network connection to another. As Bonn lacks this key feature of
Applicant's invention, Bonn's described facility cannot re-create Applicant's solution, as
set forth in Applicant's claims.

In order to understand this basic difference, it is worthwhile to review in further
detail the specific problem addressed by Applicant's invention, as well as reviewing how
Bonn's templates fail to provide any solution for that problem. Today, an increasingly
large number of business and individual users are using portable computing devices, such
as laptop computers, that are moved frequently and that connect into more than one
network. For example, many users now have laptop computers that are plugged into a
corporate network during the day and are plugged into a home network during the
evening. The number of mobile computing devices, and the networks that they connect
to, has increased dramatically in recent years. In addition, various different types of
connections may be utilized to connect to these different networks, such as 802.11 and
Bluetooth. Wireless networks often have a large number of different users that are
occasionally connected from time to time. Moreover, connection to these networks is
often very easy, as connection does not require a physical link. Wireless and other types
of networks are frequently provided in cafes, airports, convention centers, and other
public locations to enable mobile computer users to connect to the Internet. Thus, it is
becoming easier for users to connect to a number of different networks from time to time
through a number of different means.

In this mobile environment it is very desirable for a user to be able to distinguish
between the various networks and devices to which he or she is connecting. For
example, if a user is at home, he or she most likely wants to allow very open
communication with other home computers and devices. On the other hand, if the user is
staying in a hotel, he or she would typically prefer much more limited communication
with other computers and devices in the hotel. In this highly mobile environment
described above, a significant problem is that many local networks use the same range of
internal IP addresses (e.g., 10.10.x.x, 192.168.x.x, 172.16.x.x through 172.31.x.x, etc.).
As a result, mobile machines connecting to various different networks cannot rely solely
on IP addresses and subnet masks to identify a network or the machines and devices
residing on the network. Applicant's invention addresses this problem by providing a
solution that automatically discovers or detects new networks that a given mobile
computing device connects to, and automatically reconfigures the device's firewall so
that it may continue to receive protection from network threats (e.g., intrusions, attacks,
viruses, spyware, and the like).

Bonn's focus, on the other hand, is the creation of his templates so that similar
networks may be configured as to their generic (similar) network elements (e.g., generic
rules for mail server, for FTP server, for Web server, etc., as such elements are common
to many networks). Bonn does not, however, provide automatic detection and
configuration of networks, as required by Applicant's patent claims. This point is made
obvious by tracing through the user operation of Bonn's facility, as described in the Bonn
patent. At the outset, the Bonn facility does not automatically detect new networks.
Instead, the user must manually provide user input to identify a new network for the
Bonn facility, and in fact manually configure that network down to individual IP addresses.

Consider Bonn's Figs. 17-22, which show the configuration of a new network
security device. In the dialog box shown in Bonn's Fig. 17, the Bonn user must first
manually select "network security device configuration item 1712 and then selects Okay
button 1720." (Bonn at col. 8, lines 55-59.) Then, the Bonn user must proceed to the
dialog box shown in Bonn's Fig. 18 to manually select "a template for configuring the
new network security device." (Bonn at col. 8, lines 60-67.) Now, the Bonn user must
proceed to the dialog box shown in Bonn's Fig. 19 to manually instruct the system to
generate a network profile (i.e., a list of aliases for specific network elements that are to
be protected). However, even at this point, the Bonn facility has not automatically
mapped the template to the new network. Instead, the Bonn user must manually invoke
"Edit button 1924 for mapping the aliases in the alias list to specific network elements
within the network protected by the new network security device. In order to do so, the
user selects each of the aliases 1921-1923 in turn, selecting the Edit button 1924 to define
each." (Bonn at col. 9, lines 1-10.) Upon invoking the Edit button 1924 in Bonn's
facility, the dialog box shown in Fig. 20 is displayed, whereupon the user must manually
match addresses for defining aliases in the user-created network profile. For example, to
match up the alias and rule for an internal Web server (alias equal "InternalWebServer"),
the Bonn user must manually enter a specific network (IP) address (address 2115) in the
dialog shown in Fig. 21 (Bonn at col. 9, lines 22-26). As shown above, configuration of a
network using the Bonn facility is hardly automatic, but instead requires the Bonn user to
perform many manual steps, including specifying what network (IP) address goes with a
given alias. At best, Bonn provides a facility that may be characterized as manual
configuration of a network/firewall, with some efficiency gains provided by starting with
generic templates (i.e., ones having predefined rules for common network elements, such
as mail server, FTP server, Web server, and the like).

Applicant's invention provides the means for a mobile computer to dynamically
reconfigure the computer's firewall as that device is plugged into each network. Note in
particular that a user cannot use the Bonn facility to re-create this functionality. For
example, if the Examiner were to take a work laptop computer (e.g., configured for the PTO
internal network) home (e.g., for connection to an ISP, such as AOL or Earthlink), the
Examiner could not rely on the Bonn facility to automatically identify and reconfigure
the laptop computer for the new network (home) connection. Instead, if the Examiner
were to rely on the Bonn facility, he would first have to manually identify the network to
the Bonn facility (i.e., in accordance with the Bonn user interface shown at Figs. 17 and
18). Next, the Examiner would have to complete a sequence of manual user input steps
(Bonn user interface, at least using dialogs shown at Figs. 19-21), for selecting a
particular template to use and for mapping addresses of network elements on the
Examiner's home network with aliases provided by the selected template. And in fact, a
template suitable for a home network may not exist, whereupon the Examiner would have
to expend additional effort first creating a suitable template. As should be readily
apparent, the Bonn user is typically a system administrator or other individual with a
working knowledge of networks and network addresses. One could hardly expect the
average computer user to know how to assign IP addresses of various network elements
to aliases in a template-generated Bonn network profile.

Turning now to the claims, one finds many differences between Applicant's
claimed invention and Bonn's facility; for example, Applicant's network profile provides
an identification means (e.g., based on MAC identifiers), whereas Bonn's "network
profile" is really a merging of his template aliases with network addresses (e.g., IP
address of 220.15.23.97 assigned to "InternalWebServer" alias). Nevertheless, deference
is given to the Examiner's interpretation that the claims could be broadly interpreted to
overlap with Bonn's described facility. Therefore, the claims have been amended to
clarify that Applicant's claimed system and method automatically (i.e., without requiring
manual user input) identifies and reconfigures devices for new network connections. For
example, amended claim 1 now reads (shown in amended form):

1. (Currently amended) A method for a mobile client device
to regulate access to different networks that the client device may be
connected to, the method comprising:

automatically obtaining information to identify adapters connected
to a particular client device and networks to which said adapters are
connected;

automatically generating a profile for each network, including a
current network to which said particular client device is connected;

automatically comparing said profile of said current network to
previously generated profiles to determine if said particular client device
has previously connected to said current network; and

if said particular client device has previously connected to said
current network, automatically applying security settings previously
utilized for said current network for regulating access to said current
network.

(Applicant's other independent claims have been amended in a like manner.) As
shown, the amended claim language explicitly requires Applicant's method to
automatically detect new networks and automatically reconfigure the device's security
settings/firewall, all without requiring manual user input. (As an optional feature, the
user is allowed to intervene in the process, if he or she desires, but the user's participation
is entirely optional and is not required to implement Applicant's invention.) The user
input required in Bonn's user interface (Bonn's Figs. 17-22) teaches, if anything, away
from Applicant's automated detection/dynamic reconfiguration approach.

It is respectfully submitted that Applicant's claims, particularly in light of the
foregoing amendments and clarifying remarks, set forth a patentable advance in the area
of security/firewall management for mobile devices. Thus, it is believed that the
amended claims distinguish over Bonn and that any rejection under Section 102 is
overcome.

B. Section 103 rejection: 

Claims 20, 24, 26, 61, and 63 stand rejected under 35 U.S.C. 103(a) as being
unpatentable over Bonn (above), as applied to claims 1-19, 21-23, 25, 27-60, 62, and 64-
78 above, and further in view of the Examiner's taking of official notice. Here, the
Examiner repeats his rejection based on Bonn, but adds official notice for the purpose of
characterizing Applicant's network profiles. The claims are believed to be allowable for
at least the reasons described above (under the Section 102 rejection) regarding the
deficiencies of Bonn. The claims are also believed to be allowable for the following
additional reasons.

As described above, Applicant's system creates a profile for each network, which
essentially serves as a fingerprint or identifier allowing Applicant's system to "memorize"
networks that have been previously encountered. In this manner, when a user's mobile
device is switched from one network to another (e.g., switched from a corporate network to
a user's home network), Applicant's system can immediately and automatically identify
previously encountered networks. This fingerprint or unique profile is based on
information that is guaranteed to be unique, such as MAC identifiers (which are
guaranteed to be unique across all networks). Bonn's network profile, on the other hand,
simply refers to the mapping between template aliases and manually specified (i.e., user-
specified) network addresses. Importantly, as Bonn provides no description about how to
uniquely fingerprint or identify different networks, including, for example, no mention
of the use of MAC identifiers, it is doubtful that Bonn's facility could address the basic
problem that stems from the fact that IP addresses of machines and devices on local
networks are not unique and, in fact, are frequently duplicated on other networks.
Applicant's invention solves this problem. Bonn's facility cannot solve this problem, as
his facility makes no effort to identify networks at a finer level of granularity (e.g., based on
MAC identifiers).
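The process set out under "The invention" above, in amended claim 1, and in the preceding paragraph (profile the network, derive an identifier, compare with stored profiles, re-apply the stored settings or fall back to the policy default for an unknown network), written out as an added example that is not Applicant's code. The AdapterInfo values, the placeholder rule strings and the choice to hash the gateway MAC together with the subnet are assumptions made for the illustration; on a real host the adapter facts would be read from the operating system (interface configuration plus the ARP entry for the default gateway). One caveat a practitioner should keep in mind: a gateway MAC can be spoofed, so a fingerprint of this kind identifies a network for convenience and should not on its own be treated as a security boundary.

```python
"""Network fingerprinting and trusted-zone reconfiguration (added example;
not Applicant's implementation). Assumed: adapter facts are supplied as a
constructed AdapterInfo (on a real host: interface config plus the ARP entry
for the default gateway); rule strings are placeholders for real rules."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

TRUSTED_RULES = ("allow in tcp 139,445", "allow in udp 137,138", "allow out any")
UNTRUSTED_RULES = ("deny in any", "allow out any")


@dataclass(frozen=True)
class AdapterInfo:
    name: str
    ip: str
    subnet: str        # CIDR of the attached network
    gateway_ip: str
    gateway_mac: str   # learned via ARP; constructed in demo() below
    dns: Tuple[str, ...] = ()


def profile_network(a: AdapterInfo) -> Dict[str, str]:
    """Collect and normalise the items that identify the network."""
    return {"subnet": a.subnet, "gateway_ip": a.gateway_ip,
            "gateway_mac": a.gateway_mac.lower().replace("-", ":"),
            "dns": ",".join(a.dns)}


def network_id(profile: Dict[str, str]) -> str:
    """Identifier keyed on the gateway MAC as well as the addresses, so two
    networks that both use 192.168.1.0/24 still get distinct ids."""
    key = "|".join(profile[k] for k in ("gateway_mac", "subnet", "gateway_ip"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def address_only_id(profile: Dict[str, str]) -> str:
    """What IP/subnet-only identification gives: collides across private
    networks that reuse the same RFC 1918 range."""
    key = "|".join(profile[k] for k in ("subnet", "gateway_ip"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


class Firewall:
    """Stand-in for the host firewall: records the active rule set."""
    def __init__(self) -> None:
        self.rules = UNTRUSTED_RULES

    def apply(self, rules: Tuple[str, ...]) -> None:
        self.rules = rules


class TrustedZoneManager:
    def __init__(self, fw: Firewall, trust_unknown: bool = False) -> None:
        self.fw = fw
        self.trust_unknown = trust_unknown   # policy for never-seen networks
        self.known: Dict[str, dict] = {}     # network id -> profile and decision

    def on_network_change(self, a: AdapterInfo) -> Tuple[str, str, bool]:
        """Run on a configuration-change notice; returns (id, status, trusted)."""
        prof = profile_network(a)
        nid = network_id(prof)
        entry = self.known.get(nid)
        if entry is None:            # new network: policy default, remembered
            entry = {"profile": prof, "trusted": self.trust_unknown, "seen": 0}
            self.known[nid] = entry
            status = "new"
        else:                        # seen before: re-apply the stored decision
            status = "known"
        entry["seen"] += 1
        self._enforce(entry["trusted"])
        return nid, status, entry["trusted"]

    def set_trust(self, nid: str, trusted: bool) -> None:
        """User or policy includes/excludes a network from the trusted zone."""
        self.known[nid]["trusted"] = trusted
        self._enforce(trusted)

    def _enforce(self, trusted: bool) -> None:
        self.fw.apply(TRUSTED_RULES if trusted else UNTRUSTED_RULES)


def demo() -> dict:
    """Constructed sample: home and hotel LANs both use 192.168.1.0/24 with
    gateway .1; only the gateway MAC differs."""
    home = AdapterInfo("wlan0", "192.168.1.23", "192.168.1.0/24", "192.168.1.1",
                       "00:11:22:33:44:55", ("192.168.1.1",))
    hotel = AdapterInfo("wlan0", "192.168.1.23", "192.168.1.0/24", "192.168.1.1",
                        "66-77-88-99-AA-BB", ("192.168.1.1",))
    fw = Firewall()
    mgr = TrustedZoneManager(fw)
    home_id, first, _ = mgr.on_network_change(home)   # new -> untrusted by policy
    mgr.set_trust(home_id, True)                       # user elects to trust home
    hotel_id, hstatus, htrusted = mgr.on_network_change(hotel)
    hotel_rules = fw.rules
    _, again, trusted_again = mgr.on_network_change(home)
    return {"home_id": home_id, "hotel_id": hotel_id,
            "ip_only_collides": address_only_id(profile_network(home))
            == address_only_id(profile_network(hotel)),
            "first": first, "hotel": (hstatus, htrusted), "hotel_rules": hotel_rules,
            "home_again": (again, trusted_again), "home_rules": fw.rules}
```

In demo() the two networks are indistinguishable by address alone (address_only_id returns the same value for both), while network_id separates them because the gateway MAC is part of the fingerprint; the unknown hotel network falls to the untrusted rule set under the default policy, and returning home re-applies the trusted rule set the user chose earlier without any further input.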

Accordingly, it is respectfully submitted that these claims distinguish over the cited
art. Particularly in view of the foregoing amendments and clarifying remarks, it is
respectfully submitted that any rejection under Section 103 is overcome.

Any dependent claims not explicitly discussed are believed to be allowable by 
virtue of dependency from Applicant's independent claims, as discussed in detail above. 

Conclusion 

In view of the foregoing remarks and the amendment to the claims, it is believed 
that all claims are now in condition for allowance. Hence, it is respectfully requested that 
the application be passed to issue at an early date. 
If for any reason the Examiner feels that a telephone conference would in any way
expedite prosecution of the subject application, the Examiner is invited to telephone the
undersigned at 408 884 1507.

Respectfully submitted. 



Date: November 3, 2006 



408 884 1507
815 572 8299 FAX






John A. Smart; Reg. No. 34,929
Attorney of Record 
Remarks

Note: Remarks are not for responding to an office action.

This statement is not intended, to represent that a search has been made or that the 
information cited in the Statement is, or is considered to be, material to patentability as 
defined in Sec. 1.56. 